On Fri, Jan 5, 2018 at 4:33 AM, Borislav Petkov <b...@alien8.de> wrote:
> On Thu, Jan 04, 2018 at 09:38:37PM -0800, Andy Lutomirski wrote:
>> Also, I want to add vsyscall=emulate_noread that makes the vsyscall
>> page be --x. And I want to add a per-process option to turn off
>> vsyscalls.
>
> What for?
>
> It sounds like a bunch of work for something which is deprecated
> anyway...
>
emulate_noread would avoid one exploit technique that Kees saw somewhere. And per-process disablement would let a system remain compatible with old binaries without reducing security for newer binaries.